
List:       oss-security
Subject:    Re: [oss-security] CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption
From:       Solar Designer <solar () openwall ! com>
Date:       2016-03-26 14:52:11
Message-ID: 20160326145211.GA22709 () openwall ! com

On Tue, Mar 22, 2016 at 11:58:39PM +0300, Solar Designer wrote:
> The primary reason I am posting this is so that other distros know the
> vulnerability was apparently shown to be exploitable.

And that's not the end of the story:

https://lwn.net/SubscriberLink/681062/b974fb24a6c4617b/

"Posted Mar 25, 2016 13:23 UTC (Fri) by BenHutchings (subscriber, #37955) [Link]

Unfortunately the fix by Seth Jennings for RHEL, later applied to
stable branches, was still incorrect, leading to CVE-2016-0774. I hope
AOSP picks up the second fix as well."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0774

"Petr Matousek 2016-02-02 09:34:35 EST

It was found that the fix for CVE-2015-1805 incorrectly kept buffer
offset and buffer length in sync on failed atomic read, potentially
resulting in pipe buffer state corruption.

A local, unprivileged user could use this flaw to crash the system or
leak kernel memory to user-space.

Upstream Linux kernel is not affected by this flaw as it was introduced
by the Red Hat Enterprise Linux only fix for CVE-2015-1805.

Acknowledgements:

The security impact of this issue was discovered by Red Hat."

Alexander